Information Security Standard

 


IT Asset Management - IT Asset Control

 

Version: 1.0
Status: Approved: 02/21/07
Contact: Director, Technology Services


PURPOSE

To provide guidelines necessary to control and collect information about IT assets.


SCOPE

In accordance with the COV ITRM 501-01, IT asset control must be commensurate with sensitivity and risk, and policies and procedures must be applied accordingly.


APPLICABILITY

The IT Asset Control Standard is applicable to the System Office and all Colleges.


STANDARD

Commonwealth of Virginia policies and procedures for asset management are already a requirement, and the System Office and Colleges may have an individual assigned to this duty for overall asset management. The following are general guidelines that enhance the general asset management process. IT personnel are encouraged to maintain their own records, especially for those components that are associated with the Business Impact Analysis and Risk Assessment processes. The System Office or college should ensure IT asset management is a component of the current asset management program or take measures to assign an individual to perform this duty. Access to IT asset inventory records should be restricted to a need-to-know basis. IT employees may be of assistance when an IT asset inventory is conducted, since some components are difficult to identify if included within a larger system.

As long as the requirements are adhered to, IT employees may perform the following requirements or this function may fall under the responsibility of the employee currently assigned for overall asset management.

Requirement

The System Office and college must have a policy in place that indicates whether IT assets may be removed from the premises and identifies the controls over such removal. This should include a form that is completed and signed by the requesting individual and approved by the supervisor or other authority as deemed necessary by the System Office or college. An example equipment check out form is included at the end of this standard; colleges may create their own forms as long as compliance is maintained.

Requirement

The System Office and college must have a policy in place that indicates whether personal IT assets are allowed on the premises and identifies the controls over such allowance.

Recommendation (note: personal is defined below as those items owned by the employee)

Prudence dictates that the System Office and colleges adopt a policy of no personal IT assets or limited personal IT assets allowed on campus. The prevalence of portable devices makes it difficult to monitor personal IT assets such as jump drives, PDAs, iPods, and similar assets. Any of these devices can be used to compromise sensitive and confidential information and consume network resources. The System Office and colleges should develop policies and procedures covering all types of personal IT assets and train and inform employees during security awareness training. The policy should address security concerns such as corruption of college systems when connecting personal devices and the portability of confidential and sensitive information.

The System Office and college personnel who bring personal property on campus do so at their own risk. Personal property of any individual brought on site is the responsibility of the individual. The System Office or college can assume no liability for loss, theft, or damage. Such property should bear a note or tag showing that it is personal property and listing the owner's name.

 

Requirement

The VCCS and individual college must have a detailed standard and procedure in place to comply with the Removal of Commonwealth Data from Surplus Computer Hard Drives and Electronic Media Standard (ITRM Standard SEC2003-02.1). The standard and procedure should list the detailed steps to be taken by all applicable personnel including the IT asset management employee, technicians, and similar personnel. If removal equipment or software is utilized, specific instructions should be provided for all personnel.



 

Equipment Check Out Record

Name:  
Date:  
Home Telephone Number:  
Office Telephone Number:  
   
Item Description:
Inventory ID:
Serial Number:

Item Description:
Inventory ID:
Serial Number:

Item Description:
Inventory ID:
Serial Number:
 

I hereby accept custody of the above equipment belonging to <College Name> for official off-campus use. Should the equipment be lost or damaged through negligence on my part, I assume full responsibility for such equipment and I shall make payment to the College at the price shown on the Equipment Inventory Record. I understand the College may require return of the equipment at any time.

In the event that the custody of the above equipment is to be for an extended length of time, this form must be updated every six months, on February 1 and again on September 1. I hereby acknowledge that it is my responsibility to update this form and re-submit to the Fixed Assets Control Officer as required. The Fixed Assets Control Officer will provide check-out forms semi-annually prior to the resubmission dates.

Guidelines for Employee Equipment Check Out

1. Only the college employee listed as the Temporary Custodian may use the computer and associated hardware/software.

2. No software is to be loaded by the Temporary Custodian.

3. No games are to be loaded by the Temporary Custodian.

4. If a problem occurs, all troubleshooting and repair to the PC is to be done by the College.

5. All troubleshooting and repair work will be done at the College.

 
Date of anticipated equipment return:  

Note: Equipment must be returned immediately if requested by the College.

 
Signature of Temporary Custodian:
Date of Equipment Check Out:
Signature of Temporary Custodian:
Date of Equipment Check Out:

